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Motivation 

* Embedded  processors  closely  integrated  into  the  fabric  of 
everyday  life 

• Anything  with  a powerplug  is  likely  to  already  be  equipped  with  an 
embedded  processor 

• Additional  battery-operated  embedded  devices  are  emerging  (e.g., 
thermometers) 

* Embedded  processors  enable  new  features 

• Unfortunately,  features  increase  complexity 

* Steady  increase  in  complexity  results  in  bugs,  which  require 
software  updates  to  fix 

Scary:  Embedded  systems  with  network 
access  and  code  update  features 
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Example:  Vehicular  Embedded 


Technology  trends 

• Steady  increase  in  number  and 
complexity  of  processing  units 

• GPS,  in-car  entertainment,  safety 
systems 

• Car  communication  systems 

• DSRC,  cellular  technologies, 
BlueTooth,  USB 

Security  challenges: 

• Vehicular  malware! 


Challenges 

■ Ensure  integrity  of  code  executing  on 
embedded  device 

• Ensure  result  obtained  was  created  by  correct 
code 

■ Secure  code  updates 

■ Recovery  after  attack 

• Re-establish  code  integrity 

• Re-establish  secret  and  authentic  keys 


How  can  we  trust  our  devices? 


■ How  do  we  securely  use  (potentially) 
compromised  devices  or  devices  we  don’t 


Attacker  Model 


■ Attacker  controls  software  on  embedded  system 

• Complete  control  over  OS,  memory 

• Injection  of  malicious  code 

■ No  hardware  modifications,  verifier  knows  HW  spec 

• Hardware  attacks  are  much  harder  to  perform,  requires 
physical  presence 

• Very  challenging  to  defend  against 

■ In  this  talk,  assume  verifier  controls  network,  such 
that  verified  device  cannot  contact  external  helpers 
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Approaches  to  Ensure  Code  Integrity 

■ Hardware-based 

• Fixed  ROM-based  code 

• Cannot  support  code  updates 

• TCG 

• Requires  extra  hardware,  potentially  high  unit  cost 

■ Software-based 

• Software-based  attestation 

• Need  to  guard  against  proxy  attack 
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Software-based  Attestation  Overview 

■ External,  trusted  verifier  knows  expected  memory 
content  of  device 

™ Verifier  sends  challenge  to  untrusted  device 

• Assumption:  attacker  has  full  control  over  device’s 
memory  before  check 

■ Device  returns  memory  checksum,  assures  verifier 
of  memory  correctness 

External  Verifier  Embedded  device 

Challenge 


Checksum  of  memory 

Expected  device  Device  Checksum 

memory  contents  memory  function 
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■ Add  chksum  function  execution  state  to  checksum 

• Include  program  counter  (PC)  and  data  pointer 

■ In  memory  copy  attack,  one  or  both  will  differ  from 
original  value 

■ Attempts  to  forge  PC  and/or  data  pointer  increases 
attacker’s  execution  time 

Malicious  Code 


ICE  Assembler  Code 

Generate  random  number  using  T-Function 

mov  rl5,  &0xl30 
mov  rl5,  &0xl38 
bis  #0x5,  &0xl3A 
add  &0xl3A,  rl5 

Load  byte  from  memory 

add  rO,  r6 
xor  @rl3+,  r6 

Incorporate  byte  into  checksum 

add  rl4,  r6 
xor  r5,  r6 
add  rl5,  r6 
xor  rl3,  r6 
add  r4,  r6 
rla  r4 
adc  r4 
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ICE  Protocol 

Wireless  link 

t,:  nonce,  input 
t2:  cksum 


output 


Node 


• Successful  verification  if: 
t2  - t,  < expected  time 
and 

cksum  ==  exp.  cksum 


nonce- 


Verf.  Func.  — ►cksum 


input 


Target  Code 


►output 
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ICE  Verification  Function 

■ Implemented  as  self-checksumming  code 

• Computes  checksum  over  its  own  instructions 

■ Set  up  untampered  execution  environment 

• CPU  state  for  atomic  execution 

• E.g.,  turn  off  interrupts 

■ Compute  checksum 

• Using  memory  contents 
and  CPU  state 

■ Checksum  verifies  integrity 

and  correct  set-up  of 
execution  environment 


Verification  Function 


Target  Code 
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ICE  Properties 

■ Given  target  code  T,  verifier  obtains  property 
that  sensor  node  S correctly  executes  T, 
untampered  by  any  other  (malicious)  code 
potentially  present  on  S 

■ By  incorporating  node  ID  into  checksum 
computation,  we  can  authenticate  response 
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Key  Establishment 

■ How  to  establish  a shared  secret? 

• Attacker  may  know  entire  memory  contents  of  a 
newly  shipped  node 

• After  a node  has  been  compromised,  attacker 
may  have  altered  authentic  public  keys  or  knows 

secret  keys 

• Without  authentication  Diffie-Hellman  protocol  is 
vulnerable  to  man-in-the-middle  attack: 

• A ->  B:  ga  mod  p 

• B A:  gb  mod  p 
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Problem  Formulation 

■ Given  nodes  in  a sensor  network,  how  can  any  pair 
of  nodes  establish  a shared  secret  without  any  prior 
authentic  or  secret  information? 

■ In  theory,  this  is  impossible  ...  because  of  active 
MitM  attack 

■ Assumptions 

• Attacker  cannot  compute  faster  than  sensor  node 

• Each  node  has  a unique,  public,  unchangeable  identity 
stored  at  a fixed  memory  address 

• Secure  source  of  random  numbers 
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ICE  Key  Establishment 

- Intuition:  leverage  ICE  to  compute  checksum  faster 
than  any  other  node,  and  use  that  checksum  as  a 
short-lived  shared  secret 

■ Challenge:  how  to  use  short-lived  shared  secret  to 
bootstrap  long-lived  secret? 

• Authenticate  Diffie-Heilman  public  key 
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First  Attempt 


Pick  random  a Pick  random  b 

Compute  ga  mod  p Compute  gb  mod  p 

t0:  ga  mod  p 

ga  mod  p = challenge 
Compute  cksum  c 
t|:  gb  mod  p,  MAC(c,  gb  mod  p) 


Second  Attempt 


Pick  random  a 
Compute  ga  mod  p 


t0:  ga  mod  p 


ga  mod  p = challenge 


Compute  cksum  c 
Pick  random  b 
Compute  gb  mod  p 
tj:  gb  mod  p,  MAC(c,  gb  mod  p) 
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Goal:  A and  B can  authenticate  each  other’s  messages 
Pick  random  v2  Pick  random  w2 

v-|  = H(v2),  v0  = H(v1)  w1=H(w2),  w0=H(w1) 

one-way  chain:  Vo  ■*-  v1  <-  v2  w0  <-  w1  <-  w2 

Assume:  A knows  authentic  w0  B knows  authentic  v0 

V1  , Mg  , MAC(  V2,  Mg  ) 

Wi  , Mb  , MAC(  w2,  Mb  ) 


w- 
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A ICE  Key  Establishment 


Pick  random  a,  ga  = ga  mod  p 
Compute  g’a  = H(ga),  g”a  = H(g’a),  g”a  «-  g a — ga 

t.  ’ ’ 

0-  9 a 

* g”a  = challenge 
Compute  cksum  c 

w0  wi  w2 


t1 : Wo  MAC(  c,  w0  ) 


random  b,  g mod  p 
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w1;  gu  mod  p,  MAC(w2  , g mod  p) 
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Summary:  ICE  Key  Re-Establishment 

■ Protocol  can  prevent  man-in-the-middle 
attacks  without  authentic  information  or 
shared  secret 

■ Attacker  can  know  entire  memory  content  of 
both  parties  before  protocol  runs 

■ Forces  attacker  to  introduce  more  powerful 
node  into  network,  prevents  remote  attacks 

■ Future  work:  relax  strong  assumption  that 
attacker  cannot  compute  faster 
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Summary 

■ Software-based  attestation  provides  interesting 
properties,  but  many  challenges  remain 

• Defeat  proxy  attacks  in  wireless  environments 

• Extend  properties  to  general  computation 

• Build  systems  with  perfect  detection  of  code  integrity 
attacks 

• Recover  from  malicious  code  infection 

• Provide  human-verifiable  guarantees 

■ Study  use  of  hardware-based  support 

• Determine  minimal  hardware  requirements  to  provide 
embedded  systems  security 
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